Dark Reading is part of the Informa Tech Division of Informa PLC

4/9/2020
02:00 PM
Nick Tausek
Commentary

No STEM, No Problem: How to Close the Security Workforce Gap

Those who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even if their backgrounds aren't rooted in cybersecurity.

The shortage of skilled information security workers persists — and continues to grow — for the simple reason that demand continues to exceed supply. But organizations will have a greater supply of talent than they realize if they can change their approach to uncovering it.

The search for cybersecurity professionals traditionally begins and ends by looking for candidates with backgrounds in science, technology, engineering, and mathematics (STEM). But security operations centers (SOCs) and others looking to fill the infosec skills gap could broaden their search by looking for people with analytical, inquisitive minds and other talents that make for a good security analyst or other IT professional. They may well find the talent pool runs deeper than an HR-driven checklist can reveal.

Outside the Academic Envelope
The most recent annual Cybersecurity Workforce Study by (ISC)² found a shortage of 2.8 million cybersecurity professionals around the world, with about 500,000 in the US alone. To meet the demand, the cyber workforce needs to grow globally by 145% and in the US by 62%, the report found. This is particularly concerning as cyberthreats continue to grow in number, variety, and severity.

Retention is also an issue. Take SOC analysts as an example: entry-level workers in an organization typically come in at Tier 1, with their main responsibilities centered on responding to alerts, checking logs, monitoring user activity and network events, and detecting attacks. Given that the average tenure of a SOC analyst is one to three years, many analysts experience only Tier 1 work during their entire time in the industry before leaving due to burnout, just as they are gaining real competence in the field.

Filling the gap is one part of the solution; keeping talent on board is the other.

What Makes a Good Candidate?
An analyst certainly does have to understand computers and networking, as well as how information systems can be exploited, but what makes a good analyst is more than that. The core factors are an analytical and inquisitive mind, the ability to come up with creative solutions, research skills, and proper documentation and communication skills. Other talents also come into play, including technical writing ability, which is often overlooked. But those abilities don't necessarily surface during an initial screening process.

Finding good candidates to fill cybersecurity analyst positions or other jobs is a two-way street – abilities a SOC should be looking for are the same ones candidates should be exploring. A few of those factors:

  • Certification: As opposed to classroom work, certification gives candidates the opportunity to achieve specific skills. Hiring and SOC managers often look at certifications over higher education. It's one area where skills can be presented on a resume rather than in a portfolio. Outside of the standard certifications for a certain job role, certifications that show a diverse skillset are a great way for candidates to demonstrate their breadth of knowledge and adaptability, two important factors for hiring managers.
  • Practical experience: Candidates should have an efficient, succinct way of showing what they've done in the field, such as working on open source projects, to showcase how they’re contributing to the community at large. Networking (in a social sense) also can't be overstated. It can show an ability to work with others; sometimes who you know can be a big boost, just as in any industry.
  • Scripting ability: Candidates who want to get out of the basic Tier 1 and 2 work will benefit a lot from the ability to program in languages such as Python and Ruby, which are used extensively in cybersecurity.

'Industry Outsider' Talent
Organizations need to adapt their recruiting and hiring processes to increase their chances of attracting the people who would make good analysts, regardless of whether they have extensive experience in information technology or STEM. One approach is to look at candidates' portfolios, rather than resumes, as a measure of their skills. That approach is often utilized at smaller penetration-testing companies, for example, where candidates are assessed on what they can do.

In similar fashion, practical examinations of potential analysts should focus on more than just background and experience. Other things that can be used to screen or evaluate applicants include problem-solving tests, technical writing exercises, and tests in which the candidate has to learn a new technical skill, use the skill to solve a problem, and document the attempt. Even if the attempt fails, understanding how well and in what way the candidate learns can provide insight into whether that person has the potential to make a good analyst, rather than limiting the search to candidates who can analyze a pcap file with tcpdump. Yes, this approach would add a level of complexity for HR departments and require greater involvement from the security operations center in the vetting process, but higher involvement is necessary anyway to unearth good candidates.

Sticking with our analyst example from earlier, great analysts can also come from other fields, such as police work, where an experienced investigator can catch up on the technical parts of the job if they already have a mental framework for investigation and analysis, along with the mental agility to reach good conclusions on incomplete evidence.

Ultimately, the most successful people in cybersecurity understand that it's a very complex field with a lot to keep track of, from new attacks and attackers to new tactics and avenues of exploitation. Those who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even when they come from nontraditional backgrounds. It's a constant learning experience and can't be handled alone — it must be done as a community. This should inform our hiring choices as well.

Nick Tausek is a security research engineer at Swimlane, where he focuses on discovering, building, and presenting on different security orchestration, automation and response (SOAR) use cases to solve the biggest security operations challenges. He has extensive experience in ...